NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/38219: tmpfs rename locking meltdown



>Number:         38219
>Category:       kern
>Synopsis:       tmpfs rename locking meltdown
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 11 14:45:00 +0000 2008
>Originator:     Antti Kantee
>Release:        
>Organization:
>Environment:
>Description:
Due to recent changes to tmpfs_rename in current, it is easy to fool
rename to try to lock against itself.

No NetBSD release is vulnerable to the local panic DoS.
>How-To-Repeat:
cd /tmpfs ; mkdir foo foo/bar ; rename foo/bar foo
(HOX! rename, not mv(1))
>Fix:
Either a) add more indecipherable checks which break down with every
change that hasn't been meditated upon for 10 years or b) fix rename
over all file systems so that it's actually possible for a human to
implement it right.  "a" is trivial and "b" might be slightly more
difficult.



Home | Main Index | Thread Index | Old Index